
Tuesday Aug 26, 2025
Polygon's 13-step multisig securing billions: Advanced governance security | Chris von Hessert
What happens when a veteran Web2 security executive turns multisig ceremony coordinator at Polygon? The result: a crash course in how Web3 security demands both old-school fundamentals and bleeding-edge vigilance in protecting billions of dollars locked on-chain.
Christopher von Hessert, VP of Security at Polygon, reveals how traditional security expertise from companies like IBM and ServiceNow translates into defending against everything from North Korean IT workers to AI-generated phishing campaigns. His journey from managing ServiceNow's global security team to orchestrating multisig upgrades from Amsterdam studios highlights the evolving demands of Web3 security leadership.
But von Hessert doesn't just protect protocols—he challenges the ethics driving the security research community. His perspective on white hat incentives, the ransomware-like behavior of some "ethical" hackers, and why the industry needs more than smart contract expertise creates a provocative framework for understanding Web3 security culture.
Topics discussed:
- Building Web3 security careers through Web2 fundamentals like red teaming, threat modeling, and offensive security rather than just smart contract auditing.
- Implementing 13-step multisig verification processes at Polygon to prevent payload manipulation and ensure transaction integrity across upgrade ceremonies.
- Identifying North Korean IT workers through interview patterns and behavioral analysis while balancing ethical concerns about legitimate remote workers.
- Challenging the "hack first, negotiate later" mentality in white hat security research as essentially ransomware behavior disguised as ethical hacking.
- Managing security priorities across Polygon's PoS bridge, which holds billions in user funds, versus the newer AggLayer interoperability protocols.
- Defending against AI-powered attack vectors including automated phishing campaigns and deepfake video calls targeting multisig signers.
- Scaling security expertise beyond smart contracts to cover consensus algorithms, client software, and core blockchain infrastructure vulnerabilities.
- Establishing threat modeling frameworks that assume employee compromise and build defense-in-depth strategies for multisig operations.
- Balancing traditional Web2 security concerns like endpoint protection and phishing training with Web3-specific risks like private key management.
- Predicting the evolution of Web3 security toward secure-by-default tooling similar to how cloud platforms eliminated common Web2 vulnerabilities.